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The effective use of the informational instrument of national power in all 
domains, and the use of all the instruments of national power in the cyber 
domain, will be a serious and growing challenge for the United States. The 
next U.S. President must have a clear understanding of the relationship of 
technology, law, and policy in formulating options. Centralized but not 
procrustean, leadership at the highest level, providing a clear and rational 
delineation of authorities, will be needed to coordinate and effectively employ 
U.S. cyber and information capabilities. Internationally, engaging with allies 
and partners will be vital to our defense; engaging with adversaries will require 
a new understanding of deterrence and counter-espionage in cyberspace. 
Domestically, new approaches to public-private partnerships will be key to 
addressing threats, preserving civil liberties, and unleashing our potential for 
improved governance and expanded commerce. 

B y any measure, the United States leads the world as a cyber power in 
terms of its cyberspace-related leadership and capabilities, research 
and development, innovation, and commercialization of leading-edge 
hardware and software, as well as more specialized products for military 
and scientific applications. This is also true for the world of information. 
Without any whole-of-government coordination, the United States pro¬ 
duces and exports the lion’s share of globally consumed television, film, 
music, and games, as well as data, information, and knowledge systems. 
Its advances in mobile communications and social media have revolu¬ 
tionized the way the global community communicates, learns, and even 
thinks. 

With this largely unplanned success has come a series of challenges, 
many of which require a more deliberate approach and a national-lev- 
el strategic effort with Presidential leadership to resolve. This chapter 
provides summary views of many of these challenges and offers recom- 
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Figure 1. Framing Cyberspace mendations by which the admin¬ 
istration could gain traction over 
even the most daunting issues in 
the information and cyberspace 
domain. 

From the perspective of the 
Department of Defense (DOD), 
the term cyberspace is defined as 
a global domain within the infor¬ 
mation environment consisting 
of interdependent networks of in¬ 
formation technology infrastruc¬ 
tures and resident data, including 
the Internet, telecommunications 
networks, computer systems, and embedded processors and control¬ 
lers . 1 Protecting this domain is a national priority. It underpins U.S. and 
global commerce, governmental and private discourse, innovation, and 
creativity. It has evolved into an essential enabler of governance, busi¬ 
ness, and personal transactions. It has elevated the impact of information 
in all its forms and provides both opportunities for and limitations to the 
way we conduct our national security strategy. 

The actors with whom the United States must engage (and sometimes 
counter) include capable nation-states, criminals, and nonstate actors. 
Many of these are not bound by the same norms and restraints that the 
United States observes. The complex motives and methods, combined 
with a low barrier to entry, heighten the potential for damaging effects 
caused by competitor and adversary actions. 

The need to ensure that we both leverage the potential of cyberspace 
for U.S. national and global advantage and protect our systems and in¬ 
formation to ensure our prosperity and security as a nation demands 
a comprehensive, integrated strategy that provides coherence of action 
and synchronizes Federal, state, and local initiatives in cooperation with 
our partners in industry as well as with foreign governments. 
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Technology 
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Framing Cyberspace: The Possible, Permissible, and Preferable 

Because cyberspace is a domain of near-infinite complexity, we need 
models to allow us to build common theoretical frameworks to help us 
synchronize our academic research, operational planning, and high-lev¬ 
el policymaking. Nowhere is such a common operating picture more 
important than in explaining the relational positions of technology, law, 
and policy. 
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In figure 1, the outermost box represents technology—the range of 
the possible. As the largest box, it consists of everything that technolo¬ 
gists have delivered or can deliver without violating the laws of physics. 
Some of these options are lawful, some are not; others make good policy 
sense, while others do not. To extend the metaphor, the top and sides 
of the box can be extended with more time, more money, or smarter 
scientists and engineers. The bottom, however, cannot be extended—it 
represents those laws of physics and other barriers beyond our control 
that limit our expansion to the other three directions. 

The intermediate box represents the law—the limits of what is per¬ 
missible. Outside this box are options that are technically feasible but 
legally impermissible; inside the box is the full range of lawful options 
for policymakers to consider. Just as with technology, the top and sides 
of this box can be expanded—domestically by an executive order, stat¬ 
ute, or court ruling. Internationally, we can expand (or contract) this 
box with treaties or, more often, by concerted changes to state practice 
with opinio juris (the stated position that international law requires or 
permits a certain action), resulting in a reinforcement of, or change to, 
customary international law. But just as with technology, there are vir¬ 
tually unchangeable aspects of the law. Domestically, the best examples 
are fundamental constitutional norms—freedom of speech, or freedom 
from unreasonable search and seizure—that are unlikely to be altered, 
even through another constitutional amendment. Internationally, we re¬ 
fer to these near-unchangeable laws as jus cogens norms—prohibitions 
accepted by so many states for such a great length of time that only other 
jus cogens norms could displace them. Examples include the universal 
bans on piracy, slavery, grave war crimes, and genocide. This is not to say 
that these crimes do not exist but rather that their historical severity has 
rendered them unlikely to ever be legalized. Their most important aspect 
is their universal applicability, even in the face of a dissenting state. For 
international lawyers, jus cogens norms are the equivalent of the laws of 
physics. 

The innermost, and smallest, box is policy—the realm of the pref¬ 
erable. These are the policy options that make the most strategic sense, 
aligning desired ends with available means most effectively. They make 
the most political sense, whether in response to public opinion, me¬ 
dia coverage, or interest-group or thought-leader positions. They might 
be the path of least resistance within a bureaucracy, the least common 
denominator position adopted by a coalition of allies, a workable com¬ 
promise within a legislature, or an executive’s daring vision. In any case, 
they are the product of the political forces operating at the time and 
should be derived from the largest possible menu of lawful options. As 
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Figure 2. Cyberspace Issues and Federal Boundaries 
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with the other two boxes, we can imagine three sides that can be moved 
with time, money, and political capital, just as we can imagine a fourth 
side that cannot be—policy options that are considered so politically 
toxic or strategically unfeasible as to be impossible. 


Governance Framework and Policy 

Multiple partitions abound in the Federal Governments design, reflect¬ 
ing the economic and political priorities of the Industrial Age. One ef¬ 
fect is the pile-up of “cross-cutting” issues—particularly those generated 
by the disruptive information/digital age—that fail to fit neatly within 
outdated Federal agency/department boundaries. Figure 2 shows exam¬ 
ples of cyberspace issues that run across, over, rtnder, and around these 
boundaries. 

This leads to costly dysfunctionality. Issues of cyberspace become too 
fractured and segregated to fit within the logic of existing department/ 
agency mission areas. This limits responses to departmental or agen¬ 
cy-specific responsibilities, which rarely consider or incorporate all 
the other parts of a cross-cutting issue. The results are solutions with a 
higher risk of failure—for example, the persistent failure to share elec¬ 
tronic health records between DOD and the Veteran’s Administration. 
Departments and agencies waste resources and duplicate efforts. Bureau¬ 
cratic barriers bound Federal work and employees within department 
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and agency authority structures, which lose synergistic value. Moreover, 
these arrangements cause unnecessary contestation for resources and ar¬ 
guments over leadership, spending, and control at the expense of shared 
best practice solutions. 

Four reform strategies have been attempted thus far: grabbing agen¬ 
cy components to create an Industrial Age-style Department of Home¬ 
land Security, designating lead agencies, appointing “supervisory czars” 
over groups of agencies (for example, Director and Office of National 
Intelligence), and building lower-level issue-specific fusion centers for 
cross-agency information-sharing and coordination. Collectively, these 
strategies have generated modest improvements in shared situational 
awareness on the cross-cutting issues of cyberspace. They have been 
handicapped by a narrow focus, inappropriate appropriations classifica¬ 
tions, and misaligned authorities and responsibilities, leading to contin¬ 
ued duplication of effort, poor exploration of unintended consequences 
of policy actions, and constant work to address undiscovered feasibility, 
affordability, and utility issues. We offer the following recommendations: 

• Map Federal Government relationships within cyberspace writ 
large to generate shared situational awareness as the basis for ef¬ 
fectively integrating the executive branch. This map should offer a 
dashboard-style real-time presentation of connections, crossovers, 
databases, and knowledge sets of the Federal Government and ex¬ 
pand to include commercial, nongovernmental, and international 
networks. 

• As a first step to fitting the Federal Government for the digital age, 
create an empowered and resourced leadership structure in the ex¬ 
ecutive office with a cyberspace remit (rather than one focused on 
e-government or cybersecurity). 

• Task this new structure and leadership to launch a “hackathon”-style 
initiative to acquire and explore new options for executive branch 
network structures that are not dependent on current Federal Gov¬ 
ernment agency and department boundaries, budgets, and author¬ 
ities. 

• Design a collaborative follow-on strategy with congressional Mem¬ 
bers and staffs for identifying legal frameworks for authorizing, 
appropriating, and overseeing such networked and adaptive struc¬ 
tures. 
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Reviewing Cyber Authorities 

The U.S. Government has not clearly laid out the roles, responsibilities, 
and authorities (RRA) of its components for cyberspace operations. As 
a result, U.S. actions in cyberspace are nether coordinated nor synchro¬ 
nized, and resources are not coordinated to reduce inefficiency and un¬ 
intended redundancy. 

As identified in the 2016 Cybersecurity National Action Plan (CNAP), 
the Barack Obama administrations cyber policy has been based on three 
strategic pillars: raising the level of cybersecurity in American public, pri¬ 
vate, and consumer sectors; taking steps to deter, disrupt, and interfere 
with malicious cyber activity aimed at the United States or its allies; and 
responding effectively to, and recovering from, cyber incidents. 2 In addi¬ 
tion to the CNAP, areas previously addressed include information-sharing 
(Executive Order 13691 3 ), improving government information technol¬ 
ogy and information security, increasing public cyber awareness and ed¬ 
ucation, and increasing the size and quality of the military and civilian 
cyber workforce. These initiatives are helping to address the tactical and 
operational weaknesses of the United States. Unfortunately, what is miss¬ 
ing is a comprehensive framework that clearly articulates the RRA for 
Federal, state, and local governments. There are several key documents 
that address aspects of this problem, the most important of which are 
Presidential Policy Directive (PPD)-20, PPD-21, and PPD-41 4 All address 
important shortfalls, but greater synchronization and clearer authorities 
and responsibilities are needed. We offer the following recommendations: 

• Replace the patchwork of executive branch policies that describe cy¬ 
ber roles, responsibilities, and, on occasion, authorities with a single 
overarching document. 

• Ensure specificity and clarity when assigning RRA in cyberspace for 
Federal organizations. There are debates about responsibility when¬ 
ever agencies have to interpret RRA, which delays collaboration and 
hinders the sharing of information. Require rotational assignments 
for senior executives to ensure a more complete understanding of 
the roles and responsibilities of other Federal agencies. 

• Ensure this new document expands upon the framework initially 
outlined in PPD-20. Unlike PPD-41, which focuses solely on event 
response, the policy must look holistically at cyberspace to include 
planning for the building of the cyberspace terrain and how we op¬ 
erate in that terrain (both offensively and defensively). 
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• Continue the concept of using lines of effort as introduced in PPD-41. 
This format is an easy structure to understand, clearly identifies the 
supported and supporting organizations, and will enhance collabora¬ 
tion among agencies across the range of cyber activities. 

• Make the document unclassified. A major issue with PPD-20 is that 
it is a top secret document and the vast majority of the workforce 
has no idea of its contents—or even its existence. This made it 
challenging for the Federal workforce to understand how its orga¬ 
nization fit into the cyberspace architecture. In addition, the private 
sector and American people lacked knowledge of U.S. defenses and 
cyberspace capabilities. 

• Consider creating a Department of Cyber to unify capabilities and 
provide leadership. Following the U.S. Coast Guard precedent of 
having one of the Armed Forces report to an agency other than DOD, 
consider aligning U.S. Cyber Command under this new department. 


Engaging the International Community on Internet Governance 

The United States must engage the international community regarding 
Internet governance to ensure that information in cyberspace remains 
free and accessible to U.S. citizens and the global community. Fram¬ 
ing this complex challenge requires understanding the roles that cyber 
strategy, policy, regulation, and security play in Internet governance. It 
is also important to assess whether our efforts to secure the Internet and 
protect information and privacy rights are consistent with overarching 
“governing” objectives (that is, information freedom and net neutrality) 
and to ensure that our security efforts do not threaten the very liberties 
they are intended to protect. 

This is not to suggest that U.S. engagement can wait. The pace and 
scope of the Internet’s growth and the infinite ways it is evolving (with 
economic, political, and social implications) necessitate a deliberate and 
decisive engagement. While the Internet has ushered in great societal 
benefits, it has also introduced new risks, such as crime, terrorism, and 
warfare, that threaten the critical infrastructure and services on which 
societies depend. The risk borne by individuals and societies continues 
to expand as complex and tightly coupled systems 5 such as electrical 
power grids, services such as health care, and the emerging “Internet of 
things” are increasingly interconnected, moving us from the information 
age to a “network society.” 6 As with any technology, there are intended 
and unintended uses and users. There are some who desire to leverage 
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the Internet to bring local, national, and global services and benefits. 7 
There are others with nefarious intentions, introducing crime, exploita¬ 
tion, and terrorism into cyberspace. We offer the following recommen¬ 
dations: 

• Map infrastructural Internet components to identify gaps and re¬ 
dundancies in governance. 

• Incorporate cyberspace policies and standards into future bilateral 
and multilateral trade agreements to establish and reinforce needed 
international cyber norms. 

• Forge new ties with a variety of nonstate actors including indus¬ 
try, nongovernmental organizations, and international organizations 
(for example, the International Telecommunications Union, Internet 
Corporation for Assigned Names and Numbers, and so forth) to 
build a coalition of governing actors that share democratic values as 
they relate to information and cyberspace. 

• Engage the public in this policy formation process, as its under¬ 
standing of the benefits and risks associated with the Internet is 
key to its future security and resiliency. This can be accomplished 
through different forms of public forums. 


Measuring Performance in Cyberspace 

Performance management has been required of Federal agencies since 
passage of the Government Performance and Results Act of 1993. How¬ 
ever, the integration of performance information into agency decision¬ 
making is not well advanced. 8 Despite efforts by the George W Bush and 
Obama administrations, the Government Accountability Office noted 
that reported use of performance information for high-level objectives 
did not improve between 2007 and 2013. 9 Since cyber is a relatively 
new field, cyber performance management is still a fairly undefined term. 
During this developmental stage, the cyber world must embrace perfor¬ 
mance measures that link organizational strategic goals and objectives 
with strategic initiatives in order to assist government agency-level lead¬ 
ers or executives with organizational decisionmaking. 

Traditional information technology (IT) services, those commonly 
found under the domain of Federal chief information officers (CIOs), do 
have performance metrics. These existing metrics (for example, network 
availability, number of trouble tickets resolved) do not address cyber per- 
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Table. Differences Between Nuclear and Cyber Weapons 
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formance management. As a result, organizational cultures inappropri¬ 
ately place responsibility for gains from cyberspace on technicians alone. 
We offer the following recommendations: 


• Include a performance management framework for cyber in the next 
National Security Strategy (NSS). 


• Mandate agency strategies include performance measures that di¬ 
rectly align with the performance management framework in the 
NSS. 

• Develop performance measures that reflect cyberspace’s impact on 
national strategy goals such as national security, civil liberties, and 
economic growth. 


Deterrence and Offensive Cyber Operations 

Cyber deterrence is a critical component of overall strategic deterrence, 
but it is far less developed conceptually. Some see a parallel between 
nuclear weapons and cyber weapons and posit that nuclear deterrence 
models could therefore be usefully applied to cyberspace. One critical 
difference is the scalability of cyber weapons, which allows for cyber de¬ 
terrence at the operational and tactical levels. The table highlights some 
of the differences between nuclear and cyber weapons. These differences 
illuminate the need to develop a new model that incorporates the unique 
aspects of cyber deterrence. 

The target of deterrence needs to believe the deterring state has the 
capability to impose an unacceptable cost for an attack, coupled with the 
will to use that capability, or the capability to defend against or immedi¬ 
ately recover from an attack, rendering it ineffective. The highly secre¬ 
tive nature of our offensive cyber capabilities and the many restrictions 
placed on their use limit their deterrent effect. Additionally, cyber attacks 
are often difficult to trace. This lack of attribution means attackers need 
not fear retribution. Finally, leaders who feel vulnerable to retaliation or 
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find an attack to be pointless due to resilience may also hesitate to act 
or to escalate. 

Cyber weapons are part of a larger arsenal of national power that the 
United States could bring to bear to deter or, should deterrence fail, to 
defeat our enemies. While cyber weapons may be the most appropriate 
means to achieve a specified effect, other sources of national power are 
also clearly relevant to both cyber deterrence and cyber operations in 
conflict scenarios. We offer the following recommendations: 

• Support a sufficiently capable cyber force to ensure a deterrent effect 
and, should deterrence fail, to prevail in conflict scenarios. 

• Emphasize the essential nature of cyber resilience as a matter of 
broad national policy to promote necessary investments in backup 
and restoration capabilities, and invest in technologies that make 
defensive cyber operations faster and less manpower-intensive, such 
as artificial intelligence and big data analytics. 

• Direct research on the integration of cyber capabilities into deter¬ 
rence theory frameworks. 


Advancing Public-Private Partnerships 

The loss of critical infrastructure “wortld have a debilitating impact on 
security, national economic security, national public health or safety.” 10 
The majority (about 85 percent) of critical infrastructure is privately 
owned and operated, requiring a public-private partnership to provide 
its security. 11 Operating alone, the private sector is incentivized by profit 
and is averse to liability. This puts the resiliency of national critical infra¬ 
structure at risk. 

The current strategy of promoting and facilitating best practices and 
information-sharing with the government is necessary but insufficient 
to addressing sophisticated threats of organized crime, terrorists, and 
nation-states. National interests traditionally handled through law en¬ 
forcement or national defense are not aligned with the financial and rep¬ 
utational interests of the private sector. As the United Kingdom Cyber 
Security Strategy states, “Just as in the 19 th century we had to secure the 
seas for our national safety and prosperity, and in the 20 lh century we had 
to secure the air, in the 21 st century we also have to secure our advantage 
in cyber space.” 12 We offer the following recommendations: 
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• Propose legislation to accelerate and expand the provisions of the 
U.S. Cybersecurity Act of 2015. 

• Promote incentives, venues, and opportunities that encourage pri¬ 
vate-sector participation in solution development. 


Privacy and Identity 

The laws, regulations, and standards that govern the protection of per¬ 
sonal information and the release, mandatory or otherwise, of data col¬ 
lected or maintained by the U.S. Government are undergoing a period of 
review. The triple challenges of IT advances, the globalized flow of data 
for trade and other purposes, and the value, both legal and illegal, of 
individually identifiable information have caused this relook. Advances 
in IT have included an exponential increase in collection, storage, and 
processing capabilities, including the development of machine learning 
algorithms that greatly surpass human ability in pattern matching and 
discovery. The globalized flow of data is fueled by electronic commerce, 
off-shoring, and transnational workforces enabling 24/7 operations that 
flow from time zone to time zone. Finally, the value of individually iden¬ 
tifiable information enables both good and bad things: it can not only as¬ 
sist law enforcement and intelligence activities and enable better service, 
but it also fuels identity theft, fraud, and blackmail. 

This situation is exacerbated by the reality that different cultures ap¬ 
proach the definition and protection of privacy very differently. This dif¬ 
ference has complicated global commerce and international legal struc¬ 
tures, but solutions such as the European Union-U.S. Privacy Shield 
have been developed to bridge such divides. Challenges remain. Existing 
controls are structured for legacy structures and technologies. Emerging 
technologies present new challenges. This new and evolving state of af¬ 
fairs requires careful consideration to ensure that government activities 
are consistent with social values, international trade agreements, and re¬ 
ality. 

Several important initiatives are emerging to create a foundation for a 
solid path forward. The creation of the Federal Privacy Council is criti¬ 
cal to these efforts and signals the importance with which the problems 
associated with privacy and technology are considered. Similarly, the 
National Institute of Standards and Technology (NIST) has begun twin 
efforts in developing guidance and standards for privacy and de-iden¬ 
tification processes. Emerging research from academia and industry in 
topics such as privacy labeling and management, database privacy, and 
differential privacy is critical to the development of tools and practices 
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for privacy problems. There is an emerging community of practice of 
privacy officers, mathematicians, computer scientists, and civil libertar¬ 
ians that provides fora for the discussion and presentation of research. 
Building on these initiatives provides a way forward to address privacy 
and data release concerns. We offer these recommendations: 

• Leverage the Privacy Council and NIST efforts to provide intellectu¬ 
al support to the community of practice and create feedback mech¬ 
anisms to U.S. Government efforts. 

• Prioritize funding the National Science Foundation and other gov¬ 
ernment research to support existing privacy enhancing functional 
research, such as differential privacy. 

• Fund research into the future of privacy, such as the issues associated 
with big data analysis that derives private information from contex¬ 
tual data, a lack of published information, or from cross-referencing 
information from multiple sources. All these approaches have been 
used to expose private information and present significant challeng¬ 
es for both individuals who wish to keep aspects of their lives secret 
and for governments that need to keep aspects of operations (such 
as research and development and counterintelligence efforts) secret. 

• Sponsor research into cascading effects from privacy violations that 
subvert national goals in order to reveal currently unimagined poli¬ 
cy and scientific needs. 


Foreseeing the Future of Identity 

Concepts ol identity are evolving in ways that are difficult to predict. In 
the past, identity elements were defined through elements of person- 
hood (name, eye color), job (title, responsibilities), profession (lawyer, 
doctor), relationship (family or network member), interests (hobbies, 
habits), culture (values and belief systems, heritage, citizenship), and 
political structures. Layering on those established identity elements are 
new, cyber-enabled identities, which may or may not relate closely (or at 
all) to physical reality. 

Cyber identities may be expressed through a variety of means, includ¬ 
ing avatars in artificial worlds, software bots that execute behaviors (such 
as troll armies), affiliation with ad hoc communities (such as Anony¬ 
mous), or as social media characters. Besides being new ways to create 
or express identity, these cyber-enabled identity elements can be difficult 
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to relate to real people and thus cause challenges in realms as diverse as 
national security and mental health. As cyber-innovation continues at 
its breakneck pace, cyber-enabled identities and identity elements will 
continue to evolve and mutate in ways that are difficult to predict, in¬ 
cluding allowing people to "live” or express themselves through multiple 
different identities or even many cloned identities. 

There are important implications for this emerging fluidity in identity. 
One is in governance: when one person can have multiple identities, 
that person can opt in to multiple governance structures, ranging from 
political to practice to commercial. Another is in security: identities can 
be used to disguise or hide subversive activities, but may also be used 
effectively to discover and understand alternative ways of thinking and 
acting. There is benefit and worry; the balance between the two requires 
significant understanding and structural philosophical approaches. We 
offer the following recommendations: 

• Appoint an interagency working group, with representatives from 
the Justice, State, Defense, Transportation, and Homeland Security 
departments, to formulate, lead, and coordinate legal approaches, 
domestically and internationally, because cyber-enabled identities 
can easily engage in behavior that crosses jurisdictional boundaries. 

• Create an office in the Department of Homeland Security to engage 
in dialogue with communities formed in the virtual world by cy¬ 
ber-enabled identities for communication and intelligence. 

• Fund research into the implications (for example, psychological ef¬ 
fects or national security considerations) of single individuals engag¬ 
ing in the virtual world through multiple cyber identities. 


Technology for Governance 

Explosive growth of unstructured data demands solutions to the challenge 
of information management. As the use of mobile devices and sensors 
grows and evolves, experts expect data volume to grow to over 4,300 per¬ 
cent of 2009 levels by the year 2020. The Federal Government faces a need 
to shift from collecting data to gaining new insights, identifying unexpect¬ 
ed patterns and trends, and using data analytics to find new solutions to 
complex problems—an analysis best conducted using data visualization 
techniques. Unfortunately, correctly interpreting trends and patterns hid¬ 
den in the data requires special skills in information and computing tech¬ 
nologies that are lacking in the current cyber workforce. Additionally, ap- 
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propriate investment in the underlying technologies themselves lags well 
behind need. Ultimately, information processing and visualization must be 
improved for national leadership to make sense of the proliferation of data 
in order to inform policy and decisionmaking. 

Visual analytics is an especially compelling technology because of its 
potential to facilitate leaderships ability to understand a situation quickly 
and clearly and to make better decisions. However, a major challenge, in 
addition to a very small talent pool, is the level of funding required for 
high-end visualization resources and machine learning capability Google 
researchers note that machine learning can solve problems that no other 
methods can but that the cost of the technology and maintenance of the 
algorithms is significant and may be out of reach for individual organiza¬ 
tions. 13 A collective approach to develop capabilities that could then be 
further customized for individual organizational use is warranted to make 
these technologies affordable. We offer the following recommendations: 

• Tap private sector and academic research to inform development of 
objectives and policy regarding data visualization capabilities. 

• Direct NIST to move more aggressively to instantiate a collaborative 
model to catalyze development of data visualization capabilities for 
the purpose of government sense-making and decisionmaking. 


Decoding Encryption: Aligning Technology, Law, and Policy 

The Nation faces the risk that our adversaries’ use of encryption technol¬ 
ogies to “go dark” will cause the loss of the ability to surveil their actions 
in cyberspace. 14 Terrorists are using the Dark Web and strong encryption 
technologies to plan and execute their operations protected from gov¬ 
ernment surveillance. 15 National security and law enforcement entities 
desire a backdoor or master key built into the encryption algorithms or 
legislation compelling companies to engineer their software allowing for 
searches to surveil terrorists and investigate criminals. 

The cryptographic, scientific, and technologic communities are unit¬ 
ed in saying strong encryption is an all-or-nothing position and that 
weaker encryption jeopardizes the global infrastructure of trust. Encryp¬ 
tion is founded in mathematical principles and is considered strong only 
when it is subjected to rigorous public scrutiny. A weakness—whether 
accidental or legislative—is a globally exploitable feature. 

Strong encryption is important to national security. Critical infrastruc¬ 
ture, banking, commerce, and communications all rely on strong en¬ 
cryption for security. Encryption protects and enables national defense, 
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commercial activities, and freedom of speech. Public and private entities 
use strong encryption to fulfill their obligations to protect personal infor¬ 
mation under legislation (for example, the Health Insurance Portability 
and Accountability Act and the Privacy Act of 1974). 

Recent attacks in the United States, France, Belgium, and Turkey aid¬ 
ed by secret communications using strong encryption provide a case to 
limit it. This, however, would not be effective. Encryption technologies 
used by criminals and terrorists are not controlled solely by U.S. com¬ 
panies or interests and cannot be effectively curtailed though U.S. leg¬ 
islation. Additionally, methods to surveil and apprehend criminal and 
terrorist actors who use encrypted technologies do exist. These methods 
exploit how the actors build and use encryption technologies and the 
infrastructures of the Dark Web. Additional research is needed, as many 
methods and techniques were exposed and rendered ineffective by the 
Edward Snowden leaks of 2013, but others can be developed. We offer 
the following recommendations: 

• Support use of strong encryption, acknowledging its utility for pro¬ 
tecting citizen data. 

• Require use of strong encryption technologies in the Nations critical 
infrastructure. 

• Invest in advanced tools to identify and surveil criminal and terror¬ 
ist actors. 


Developing a Coherent Artificial Intelligence Agenda 

Between May and July 2016, the U.S. Office of Science and Technology 
Policy (OSTP) completed four public workshops on artificial intelligence 
(AI) to “identify challenges and opportunities related to this emerging 
technology.” 16 Focus areas included legal and governance, use for public 
good, safety and control, and social and economic implications. Addi¬ 
tionally, OSTP created a new National Science and Technology Council 
(NSTC) Subcommittee on Machine Learning and Artificial Intelligence 
to coordinate Federal Government activities in these areas. These two 
initiatives demonstrate that AI is gaining attention, but they do not con¬ 
stitute a strategy for assessing the associated benefits and risks in a com¬ 
prehensive manner. 

With the imminent arrival of self-driving vehicles and precision 
autonomous weapons systems, it is imperative that the United States 
advance a coherent AI agenda addressing the technological, legal, and 
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policy implications of this technological revolution. Failure to do so 
threatens to leave the Nation incapable of benefiting from AI use for the 
government or influencing responsible AI use in the private sector. We 
offer the following recommendations: 

• Charge the newly formed NSTC Subcommittee on Machine Learn¬ 
ing and Artificial Intelligence to maintain currency on AI capabilities 
and trends, regularly convene diverse experts in the field, offer ex¬ 
panded participation in the subcommittee, and produce actionable, 
timely AI goals. 

• Complete a formal review of White House expectations to influence 
private AI use and implementation of AI in government. 

• Conduct outreach to address public fears that AI may cause loss of 
jobs or that autonomous machines may threaten public safety. 


Modernizing Government Cyber Infrastructure 

The White House and Congress must continue to reform IT acquisition 
practices in order to meet modernization goals and objectives. Numerous 
studies and congressional testimonies have highlighted the need for a syn¬ 
chronized and cohesive strategy to plan, program, budget, and execute 
modernization of IT. A May 2016 report by the Government Accountabil¬ 
ity Office (GAO) found that Federal agencies are spending almost 75 per¬ 
cent of the $88 billion IT budget to maintain legacy systems. 17 The report 
specifically identified that 5,233 of approximately 7,000 Federal IT sys¬ 
tems are spending all of their funds on operations and maintenance costs. 
By comparison, development, modernization, and enhancement spending 
for the same programs represents less than 25 percent of spending and 
has declined $7.3 billion since 2010. The study also highlighted that nu¬ 
merous systems were developed decades ago with parts and programming 
languages that are now obsolete and pose significant risk. Some of the pro¬ 
grams, such as the DOD program that coordinates the operational func¬ 
tions of the Nation’s nuclear forces, were developed over 50 years ago and 
use 8-inch floppy disks that have long ceased being produced. In other 
cases, agencies rely on outdated operating systems such as those from Mi¬ 
crosoft in the 1980s and 1990s that ceased vendor support long ago. As a 
result, the GAO study found that agencies spend significantly more to hire 
and maintain programmers who hold specific skill sets as well as expose 
increased security risks. This comes at a time when more than $3 billion 
worth of Federal IT investments will reach end-of-life in the next 3 years. 
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In response to these issues, the Office of Management and Budget 
(OMB) developed the IT Modernization Fund (ITMF). 18 The fund, as 
part of the White Flouse’s Cybersecurity National Action Plan, follows up 
on the gains made from the Federal IT Acquisition Reform Act in 2014. 19 
The ITMF is in line with the recommendations from the May 2016 GAO 
report and supports other modernization initiatives such as the General 
Services Administration (GSA) 18F program. 20 Success of the ITMF is at 
risk unless several major weaknesses are addressed. We offer the follow¬ 
ing recommendations: 

• Establish a centralized board of experts to identify and prioritize the 
most pressing legacy IT systems to be targeted for replacement with 
a smaller number of common platforms. 

• Provide an initial $3.1 billion in seed funding. Based on calculations 
provided by OMB, the funding will address at least $12 billion in 
modernization projects and generate the momentum needed to es¬ 
tablish a repayment process to ensure the ITMF is self-sustaining. 

• Establish, under the oversight of the GSA, a centralized fund sup¬ 
porting agency modernization plans, competitively distributed 
based on plan quality. 

• Leverage GSA experts in IT acquisition and development to support 
agencies in implementing their modernization plans. 


Improving the Cybersecurity Workforce 

U.S. national security, the protection of critical infrastructure, and the ef¬ 
fective functioning of the Federal Government require reliable and secure 
cyber-based government assets supported by a professional cybersecuri¬ 
ty workforce that protects these assets from all types of threats, including 
cyber attacks. Recent breaches, including those resulting in significant 
data losses at the Office of Personnel Management (OPM) and Internal 
Revenue Service, revealed that the cybersecurity workforce is significant¬ 
ly challenged in protecting the government’s cyber-based assets against 
attacks. Efforts to generate the numbers of personnel with the requisite 
competencies have been unsuccessful. The government lacks a coherent 
and comprehensive approach to improve the cybersecurity workforce. 

OPM has a responsibility to develop a holistic and proactive approach 
to improve the cybersecurity workforce. This approach must include, 
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but not be limited to, recruiting, hiring, developing, and retaining. We 
offer the following recommendations: 

• Establish a cybersecurity executive council composed of senior ex¬ 
ecutives from each department and agency to establish the execu¬ 
tive governance for cybersecurity workforce policies, initiatives, and 
strategies. 

• Develop and publish an updated job specialty standard specific to 
cybersecurity positions to establish a single authoritative source for 
cybersecurity positions. 

• Establish common higher-level cybersecurity edrtcational criteria to 
create a baseline for cybersecurity educational requirements. 

• Offer tuition assistance, reimbursement, and scholarships to en¬ 
hance retention of government cybersecurity workforce members 
and attract new employees from the private sector. 

• Index compensation for specific cybersecurity workforce positions 
to comparable private sector positions in order to retain top per¬ 
formers. 

• Require quarterly progress reports until these actions are fully im¬ 
plemented. 


Sensing and Responding for Agile Government 

Information technologies now feed a swelling appetite for real-time in¬ 
formation. Citizens demand and rely on data from their mobile devices 
to make decisions (such as travel routes or which consumer product to 
buy) that can immediately disrupt markets or drive new behaviors. Pri¬ 
vate industry recognizes this as part of doing business in the 21 st century. 
Governments have not realized this and have failed to find ways to use 
it to drive innovations. 

Failure to adopt a strategy to serve citizen needs for information that 
leverages the opportunities of technology while avoiding the inherent 
challenges (privacy concerns, information overload, and so forth) plac¬ 
es the government at risk of losing relevance, confidence, and trust in 
the eyes of its citizenry. Citizens will find information elsewhere and 
construct their own stories about particular experiences with govern¬ 
ment entities based on their perceptions of the value realized from the 
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interaction. Worse yet, citizens may find governance of no value or fill 
any vacuum with information from untrustworthy or biased sources to 
construct their perception of events and motivations. 

These alternate sources have demonstrated their ability to seize op¬ 
portunities to sense public mood and provide the storylines that will 
advance their cause by taking advantage of gaps in public information 
and any signs of insecurity or fear. They feel no obligation to be truthful 
or unbiased. The same dynamic has reduced the time allowed, from the 
emergence of a public policy issue through the development and imple¬ 
mentation of policy to address it, such that the failure to immediately 
address a problem is viewed as unresponsiveness. Civil movements rely 
on cost-effective, instantly deployed social media platforms to engage 
advocates and escalate favorable public opinion. These same platforms 
can be used to cultivate public friction and hateful or counterproductive 
civic positions that present obstacles to positive government initiatives. 

In this context, government has also failed to seize the opportunity 
to employ the same information technologies to develop a better sense 
of how citizens perceive public good and how they find value in gov¬ 
ernment service delivery models. There is a need for the administration 
to establish a sensing framework to develop insights regarding if it is 
serving or failing to serve those to whom it is accountable. This applies 
whether dealing with cyberspace or traditional governmental obligations 
in establishing trust and engagement by the technology-enabled citizen. 
A positive outcome of such an initiative would be the repackaging of 
government data and information to proactively explain internal deci¬ 
sion factors, competing agendas, and crowdsourced data gaps to external 
consumers. This could illuminate the complexity of governance activities 
and decrease the need to seek substitute data sources. Effectively it offers 
content for civic education and distributes responsibility for governance 
to a community of interested people. This new vision embeds contem¬ 
porary consumer sense-making in the practices of the good governance. 
We offer the following recommendations: 

• Charge the Federal CIO with rapidly crafting a strategy to synchro¬ 
nize and elevate e-government initiatives into effective citizen en¬ 
gagement capabilities addressing needs for information dissemina¬ 
tion, service provision, and gauging citizen valuation of government 
policy, services, and transparency. 

• Link agency IT funding to successful implementation of the Federal 
CIO strategy (referenced above) to engage citizenry using required 
metrics on citizen-perceived utility of systems, trustworthiness of 
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governance messaging, transparency of governance processes and 
decisionmaking, and government responsiveness to citizen needs. 

• Develop a Web-based performance dashboard to present customiz¬ 
able views of internal policy administration data metrics, provide a 
more accessible window into government institutional activity and 
value creation, and promote accurate perceptions of government 
activity. 


Conclusion 

In a short time, cyber has emerged as both a warfighting domain, fully 
as significant as the land, sea, air, and space domains, and an omni¬ 
present public-private operating universe. The potential opportunities 
found within the domain of information and cyberspace are seemingly 
limitless. The risks of this reliance are clear, as demonstrated by recent 
highly publicized network breaches. It is important that these risks be 
deliberately accounted for and addressed in the process of making deci¬ 
sions about the use of cyberspace. 

Cyber competence must be part of the skill set for all senior leaders in 
the national security enterprise. Most senior leaders received their pro¬ 
fessional educations at the beginning of the cyber age, and their under¬ 
standing of, and sensitivity to, the opportunities and vulnerabilities de¬ 
scribed above may be limited. Nevertheless, mastery of the cyber domain 
has now assumed critical importance because of our dependence on cy¬ 
berspace. Agency heads must be held accountable for their organizations 
employment of information technologies—abrogation of responsibility 
to CIOs and other “cyber experts” is unacceptable. 

Addressing the critical challenges of cyberspace must be approached 
with an understanding of limitations and risks inherent in the use of the 
technologies that underpin the domains potential. The authors here have 
highlighted promising opportunities and areas of concern. Specific rec¬ 
ommendations are offered to contribute to a Presidency ready to embrace 
both the risks and the opportunities facing the Nation in cyberspace. 
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